mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-01-31 15:53:33 +08:00
48 lines
1.8 KiB
YAML
48 lines
1.8 KiB
YAML
id: password-expiration
|
|
|
|
info:
|
|
name: Ensure Password Expiration is Configured
|
|
author: Th3l0newolf
|
|
severity: medium
|
|
description: |
|
|
The PASS_MAX_DAYS setting in /etc/login.defs defines how long a password may be used before it must be changed.To comply with CIS Ubuntu Linux Benchmark, this value should be set to a number greater than 0 and less than or equal to 365.
|
|
remediation: |
|
|
Edit /etc/login.defs and ensure the line is set to: PASS_MAX_DAYS 365 (or another value between 1 and 365).Verify the change with: grep -Pi -- '^\h*PASS_MAX_DAYS\h+\d+\b' /etc/login.defs
|
|
reference:
|
|
- https://www.cisecurity.org/benchmark/ubuntu_linux
|
|
metadata:
|
|
verified: true
|
|
tags: cis,local,cisecurity,audit,linux,ubuntu,password
|
|
|
|
self-contained: true
|
|
|
|
code:
|
|
- engine:
|
|
- bash
|
|
|
|
args:
|
|
- "-c"
|
|
- |
|
|
MAX_DAYS_LINE=$(grep -Pi -- '^\h*PASS_MAX_DAYS\h+\d+\b' /etc/login.defs | head -n1)
|
|
if [ -n "$MAX_DAYS_LINE" ]; then
|
|
VALUE=$(echo "$MAX_DAYS_LINE" | awk '{print $2}')
|
|
if [ "$VALUE" -gt 0 ] && [ "$VALUE" -le 365 ]; then
|
|
echo "[password-expiration-check:Policy-Pass] [PASS_MAX_DAYS is $VALUE (valid)] [CIS_PASS]"
|
|
else
|
|
echo "[password-expiration-check:Policy-Fail] [PASS_MAX_DAYS is $VALUE (invalid)] [CIS_FAIL]"
|
|
fi
|
|
else
|
|
echo "[password-expiration-check:Policy-Fail] [PASS_MAX_DAYS not set or malformed] [CIS_FAIL]"
|
|
fi
|
|
|
|
matchers:
|
|
- type: word
|
|
name: policy-pass
|
|
words:
|
|
- "Policy-Pass"
|
|
|
|
- type: word
|
|
name: policy-fail
|
|
words:
|
|
- "Policy-Fail"
|
|
# digest: 4a0a004730450221009cbba7657038b7d04af3978e24d438753c705b2be8c9303bb01944ae5b4e600602201d065b7a3fb76908156e03c53a22c3af9b2eaed544712284fa33520f6796396f:922c64590222798bb761d5b6d8e72950 |